Security Challenge

How to Audit Passwords with the LastPass Security Challenge & Why You Need To

Due to the frequency of large-scale security breaches, it’s only a matter of time before bad password hygiene will burn you.

Whether it’s reusing the same passwords for multiple accounts or using passwords that just aren’t strong enough, bad password hygiene is an unnecessary risk that is easily fixed.

LastPass helps you make immediate changes to your password security by auditing your accounts with the LastPass Security Challenge. With the results, you can track progress as you fortify your online life with stronger passwords.

Why does this matter?

Over 1 billion data records are estimated to have been leaked in 2014 alone. And over 348 million Internet users in the US alone had their identity compromised in 2014.

As if it weren’t bad enough that millions of people have their personal information and passwords floating around out there, hackers can use the same username and password combinations to start trying to log in to other websites.

Websites like PayPal, Gmail, Dropbox, and others have reported that hackers have tried logging in to user accounts and successfully gained access when the same username and password combinations were being used.

While services do what they can to stop this type of unauthorized access, simply using a unique password for every account would prevent these break-ins and the resulting fraud.

Every single website and app you use should have a unique, long, strong password. No password should ever be used on more than one site. Furthermore, you should only be creating a handful of passwords yourself. Why? Humans are notoriously bad at creating their own passwords. Leave that work to a password generator.

The only passwords you should have to create yourself are the master password to your password manager and the passwords you use to lock your personal computers and mobile devices.

Getting ready to audit your passwords

Before running the LastPass Security Challenge, you need to:

1. Have a LastPass account

2. Add as many of your passwords to LastPass as you can

If you haven’t yet signed up for LastPass, you can use the recommended download option on our downloads page and create a LastPass account.

Importing is an easy way to pre-populate your LastPass vault. If you use one of our recommended installers to set up LastPass, you have the option to import passwords. The importer will gather any passwords stored in your browsers, and automatically add them to your LastPass vault.

If you have already signed up for LastPass, you can import from your browser or other password managers at any time from the LastPass Icon > More Options > Advanced > Import and follow our instructions to import from the selected source.

You can also start browsing to the sites you regularly use, and start saving the logins to LastPass. For more help on getting started with saving and filling logins with LastPass, see our tutorials in our guide.

Auditing your passwords with the LastPass Security Challenge

Once you have added as many passwords as possible to your LastPass vault, you can run the LastPass Security Challenge.

You can launch the Security Challenge at any time from the LastPass Extension Icon > More Options > Security Challenge.

As soon as you enter your master password and hit Enter, it will run a scan to check your vault locally on your machine. The results will be sent to us later.

Once the results load, you will see three scores at the top of the page.

Your Security Score: This is a combined rating of how strong your passwords generally are, looking at how long and complex your passwords are overall. Whether or not you use two-factor authentication also accounts for 10 points of the total security score. The highest possible score is 100.

Your LastPass Standing: This compares you against all other LastPass users who have run the Security Challenge. You are placed in a percentile according to your current security score. The lower the percentage, the better your ranking.

Master Password Score: This rates how strong your master password is, based on how long and complex it is.

Under “Improve Your Score”, detailed results then show exactly which sites have weak passwords, duplicate passwords, compromised passwords, and old passwords.

In each panel, you can see which accounts you should take immediate action on to update the passwords. Notice that in each panel, the sites are split into those where you can use “Auto-Change Password” and those where you launch the site directly and log in to use the LastPass password generator to replace the password.

Under “Detailed Stats”, you can see a breakdown of how many sites have weak, duplicate, compromised, old, or blank passwords.

The password strength meter gives you a rating for each password listed – passwords under 50% are deemed “weak”. Again there is an action button next to each site that you can use to replace the password automatically or launch the website to replace the password with the generator.
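
A sketch of the kind of local audit described above, as an added example that is not LastPass's code or scoring formula: it sorts a constructed vault into the blank, weak, old and duplicate categories. The strength estimate, its 128-bit target and the 365-day age limit are assumptions; only the under-50% "weak" threshold comes from the text above.

```python
import math
import string
from collections import defaultdict
from datetime import date

# Constructed sample entries (site, password, last changed); not real credentials.
VAULT = [
    ("mail.example", "Summer2014", date(2014, 6, 1)),
    ("bank.example", "q7#Lw9!xTz2@Rk5vBn8$", date(2024, 11, 3)),
    ("forum.example", "Summer2014", date(2015, 1, 20)),
    ("shop.example", "", date(2023, 2, 2)),
    ("wiki.example", "c4Gm!uP0zE&hYs1dQ^r6", date(2016, 3, 9)),
]
CHARSETS = (string.ascii_lowercase, string.ascii_uppercase,
            string.digits, string.punctuation)

def strength_percent(password, target_bits=128.0):
    """Rough estimate: length * log2(character pool), scaled to 0-100.
    Assumed for illustration; it overrates dictionary-based passwords."""
    pool = sum(len(cs) for cs in CHARSETS if any(c in cs for c in password))
    if pool == 0:
        return 0
    bits = len(password) * math.log2(pool)
    return min(100, round(100 * bits / target_bits))

def audit(vault, today, max_age_days=365, weak_below=50):
    """Group sites by problem. Runs entirely in memory on the local machine."""
    report = {"blank": [], "weak": [], "old": [], "duplicate": []}
    by_password = defaultdict(list)
    for site, password, changed in vault:
        if not password:
            report["blank"].append(site)
            continue
        by_password[password].append(site)
        if strength_percent(password) < weak_below:
            report["weak"].append(site)
        if (today - changed).days > max_age_days:
            report["old"].append(site)
    # Any password shared by two or more sites marks all of them as duplicates.
    for sites in by_password.values():
        if len(sites) > 1:
            report["duplicate"].extend(sites)
    return report

if __name__ == "__main__":
    for category, sites in audit(VAULT, today=date(2025, 1, 1)).items():
        print(f"{category}: {', '.join(sites) or '-'}")
```
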

Improving your Security Challenge Score

There are two ways you can immediately start improving your score. Depending on how many passwords you have that are flagged as insecure, the password replacement process can take just a few minutes or more than an hour.

Auto-Change Password: LastPass can automatically replace passwords for you on a growing number of sites. For any website listed with “Auto-Change Password”, you can select that option and LastPass will launch the website, log in to that account for you, and update the password to a new one. The new password will automatically be saved to LastPass.

Launch Site: For any website listed with “Launch Site”, clicking this option will open the website for you. You can then log in with your account, and make your way to the site’s password change page.

Typically, a change password page will require that you re-enter the old password (which you have stored in LastPass) and that you generate a new password.

To generate a new password, click the generate icon that LastPass has filled in the field. In the “generate” menu, look at the new password and make any adjustments if you want (such as making it longer or adding special characters). Once you’re satisfied, click the “use password” option. LastPass will confirm that you want to replace the password.

Once you confirm, LastPass will save the new password to LastPass, and you can submit the new password on the website, too.

Note: If you ever need to retrieve the old password, you can look up the account in your LastPass vault and “edit” the site. Next to the password field, you will see a “history” option to view the password history for that account.

Checking Your Progress

After you’ve made password updates on several sites and eliminated all of your weak and duplicate passwords, you can run the LastPass Security Challenge again to check your progress. Note that your security score will likely have improved.

Any time you open your LastPass vault, you will see an indication of your Security Challenge Score. Continue to run the audit regularly so that you can continue to improve your score and swap out aging passwords.